Class: LcpRuby::Auth::CallbacksController

Inherits:

LcpRuby::ApplicationController

• Object
• LcpRuby::ApplicationController
• LcpRuby::Auth::CallbacksController

Includes:

Devise::Controllers::Helpers, BaseController

Defined in:

app/controllers/lcp_ruby/auth/callbacks_controller.rb

Overview

Receives the OIDC callback from OmniAuth, hands the auth_hash to UserResolver, and signs the user in via Warden. Routes are drawn in config/routes.rb behind ProviderRegistry.oidc_enabled?.

Constant Summary

ALLOWED_FAILURE_REASONS =

%w[
  invalid_credentials access_denied no_role_match host_rejected unknown_provider generic
].freeze

EXCEPTION_TO_REASON =

{
  LcpRuby::Authentication::UnknownProvider => "unknown_provider",
  LcpRuby::Authentication::NoRoleMatch     => "no_role_match",
  LcpRuby::Authentication::HostRejected    => "host_rejected",
  LcpRuby::Authentication::InvalidClaims   => "invalid_credentials"
}.freeze

Constants included from Controller::BearerAuthentication

Controller::BearerAuthentication::BASIC_PREFIX_LENGTH, Controller::BearerAuthentication::BEARER_PREFIX_LENGTH

Instance Method Summary

• #callback ⇒ Object
• #failure ⇒ Object
• #passthru ⇒ Object

Methods included from Controller::Authorization

#current_evaluator

Instance Method Details

#callback ⇒ Object

# File 'app/controllers/lcp_ruby/auth/callbacks_controller.rb', line 37

def callback
  provider = LcpRuby::Authentication::ProviderRegistry.find(params[:provider])
  auth     = omniauth_auth

  unless auth
    Rails.logger.warn(
      "[lcp_ruby] OIDC callback missing omniauth.auth provider=#{params[:provider]} " \
      "request_id=#{request.request_id}"
    )
    redirect_to lcp_ruby.oidc_failure_path(reason: "invalid_credentials") and return
  end

  user = LcpRuby::Authentication::UserResolver.call(auth: auth, provider: provider)

  # Capture session state we want to preserve, then rotate the session
  # to prevent fixation: an attacker who planted a session cookie before
  # the OIDC round-trip must not retain that cookie post-login.
  return_to = safe_return_to(stored_location_for(:user))

  # id_token (a 3–4 KB JWT) is only needed at sign-out for RP-initiated
  # logout — stashing it for `logout.mode: local` would just bloat the
  # session and risk overflowing the 4 KB cookie store limit, with no
  # functional benefit. Skip the stash for local-logout providers.
  id_token = if provider.logout[:mode] == :rp_initiated
    auth.respond_to?(:credentials) && auth.credentials.respond_to?(:id_token) ?
      auth.credentials.id_token : nil
  end

  reset_session
  session[:oidc_id_token] = id_token if id_token

  sign_in(user, event: :authentication)
  redirect_to signed_in_redirect_path(return_to)
rescue *EXCEPTION_TO_REASON.keys => e
  if e.is_a?(LcpRuby::Authentication::InvalidClaims)
    Rails.logger.warn(
      "[lcp_ruby] OIDC invalid_claims provider=#{params[:provider]} " \
      "request_id=#{request.request_id}: #{e.message}"
    )
  end
  redirect_to lcp_ruby.oidc_failure_path(reason: EXCEPTION_TO_REASON.fetch(e.class))
end

#failure ⇒ Object

# File 'app/controllers/lcp_ruby/auth/callbacks_controller.rb', line 80

def failure
  candidates = [ params[:reason].to_s, request.env["omniauth.error.type"]&.to_s ]
  @reason = candidates.find { |r| ALLOWED_FAILURE_REASONS.include?(r) } || "generic"
  @exception   = request.env["omniauth.error"]
  @request_id  = request.request_id
  provider_log = params[:provider] || request.env["omniauth.error.strategy"]&.name
  Rails.logger.warn(
    "[lcp_ruby] OIDC failure reason=#{@reason} provider=#{provider_log} " \
    "request_id=#{@request_id} exception=#{@exception&.class&.name}"
  )
  render "lcp_ruby/auth/callbacks/failure"
end

#passthru ⇒ Object

# File 'app/controllers/lcp_ruby/auth/callbacks_controller.rb', line 30

def passthru
  # OmniAuth normally intercepts /auth/:provider during the request phase.
  # Reaching this action means the middleware was bypassed (misconfiguration
  # or an unknown provider).
  render plain: I18n.t("lcp_ruby.auth.failure.generic", default: "Not found"), status: :not_found
end